What’s Next for the Cyber Safety Review Board?

The Biden-era structure is vital to U.S. cybersecurity, but the Trump administration could take steps to improve upon its initial setup.

The Cyber Safety Review Board (CSRB) is at a fork in the road. President Biden established the CSRB four years ago, charged with the task of reviewing “significant cyber incidents” and “provid[ing] recommendations … for improving cybersecurity and incident response practices.” A federal advisory body loosely modeled after the National Transportation Safety Board (NTSB), the CSRB was created in the hopes of improving the nation’s digital security and resilience.

In its first three years, the board conducted three complete reviews. The inaugural CSRB report examined the widespread Log4J/Log4Shell vulnerability and made recommendations including enhanced reporting, threat monitoring, and cultural shifts in security practices. The second report analyzed the Lapsus$ hacking group and how it used simple tactics to compromise major organizations, recommending transitioning to phish-resistant authentication and improving telecom carrier security. The third report—and arguably the most significant—examined China’s wholesale compromise of Microsoft Exchange Online in 2023, which had allowed the adversary to steal tens of thousands of emails from numerous high-level U.S. government accounts. The board found that the intrusion was preventable, identified response failures, and criticized Microsoft’s security culture. It also made recommendations for overhauling enterprise security and incident transparency.

The board also initiated a fourth review, investigating the intrusion into U.S. telecommunications networks by a People’s Republic of China (PRC) threat group the private sector dubbed “Salt Typhoon.” However, immediately after Inauguration Day—and before that review could be completed—the Trump administration dismissed the CSRB’s members. It has yet to appoint new ones. Yet the administration retained the executive order that established the CSRB even as it repealed other cyber-related executive orders, which suggests the board may receive new life.

As a former Biden cyber official who helped create the CSRB, I hope the administration appoints new members and uses this opportunity to improve on the structure we created.

Background

The recommendations that follow come from hands-on experience; I led the team on the National Security Council that drafted Executive Order 14028 in 2021, so I know the intent behind it. As a senior White House official, I oversaw the board’s work and had the opportunity to observe it from the outside. And later, I worked on the board, first as a senior adviser to the chair during the Microsoft Exchange review, and then as a board member during its final, aborted review.

First, a few words on why the CSRB exists. Cybersecurity is foundational to U.S. national and economic security—and the United States ignores lessons from major incidents at its own peril. The CSRB can help mitigate these risks.

Case in point: The Microsoft Exchange Online review uncovered previously undisclosed, significant, preventable errors that gave China almost unimaginable espionage reach. The Chinese had “full access to essentially any Exchange Online account anywhere in the world.” The board’s March 2024 report challenged the company to return to a security-first culture. In response, Microsoft Chairman and CEO Satya Nadella issued a directive entitled “Prioritizing security above all else” to the entire company, which stated, “If you’re faced with the tradeoff between security and another priority, your answer is clear: Do Security” (emphasis in original).

This is no small feat. The CSRB, then not even three years old, moved one of the world’s most valuable companies to take dramatic, public action. As a nation, the U.S. has already benefited from the board’s work, as well as from Microsoft’s willingness to cooperate and to make commendable changes.

However, based on my experiences, the CSRB has room for improvement. The board needs clearer, public guidelines on what type of incidents it will review, and it should be structured so that it takes on only appropriate cases, not every incident that attracts attention. That structure should also be flexible enough to adapt to the needs of each review, and it should include new tools to ensure cooperation across the public and private sectors. Finally, the administration must make clear that the board is an independent entity, separate from the Cybersecurity and Infrastructure Security Agency (CISA) and other federal agencies.

Recommendations

Hindsight is 20/20. Although we had many successes in establishing the CSRB, after initiating four reviews and completing three, here is what I would do differently or at minimum clarify.

Recognize That Action Does Not Equate to Outcome

Phrased differently, inactivity between reviews is not necessarily negative. The CSRB is most effective when it is investigating an actual, significant incident (think Microsoft Exchange intrusion). In the absence of a major incident, the board should not search for something that is worthy of review to appear “active.”

That said, there are a number of challenges associated with this model. A review requires significant staff and infrastructure, and while the board members themselves can return to their day jobs, the humans who make up that support system need work in the absence of an ongoing review. Few organizations, whether government or private sector, are structured in a way that allows a high-performing team to sit dormant for an unknown period of time. The overall comparison of the CSRB to the NTSB is loose, but here, the NTSB’s operations could provide some guidance. Between incidents, NTSB staff perform a variety of functions, including tracking the implementation of recommendations, accident trend analysis, and broader safety training. The administration should use this model as a template to identify ongoing, steady-state work for the CSRB support team.

Clarify What Is “Worthy of Review”

The administration should set clear guidelines about what merits review and how the board will decide to initiate a new effort. The executive order that created the board provided very limited guidance, stipulating only that the CSRB should review a “significant cyber incident” as defined in other government policy documents (the order points to the definition in Presidential Policy Directive 41).

This is insufficient guidance. We should have provided much clearer standards, and the administration should take this opportunity to amend the board’s charter with more specific language about when, how, and why it will initiate a review. This should account for several factors.

First, the board should review incidents, not issues or threat groups, and it should scope its reviews more narrowly. The board is not—and should not try to be—a government-chartered think tank; rather, it should fill gaps that the private sector, academia, and civil society cannot.

Applying this standard to the reviews to date, Microsoft Exchange clearly meets the bar—this was a specific, definable incident that the board was uniquely positioned to examine given its ability to interview the key players. Lapsus$ Group, by contrast, does not meet this standard; by its very title it was a review of Lapsus$ “and related threat groups” (emphasis added). While this generated positive recommendations, there was no unique government insight or ability brought to bear here, as the threat actor was well known to industry and was the subject of numerous publications. Log4j is a close call but probably makes the cut—this vulnerability has unprecedented reach and will be with us for a generation or more. Finally, the Salt Typhoon telecommunications intrusion also clearly meets this standard—subject to its timing and other considerations laid out below.

Second, the incident must have had—or be capable of having had—significant, systemic security and economic impact. The board should limit its work to incidents that pose threats like major degradation of U.S. defense readiness, compromising intelligence operations, or significantly degrading critical government services. Nation-state espionage or sabotage could also merit review.

Third, the board’s work should not duplicate other reviews. If the private sector, other government agencies, or U.S. international partners are devoting sufficient energy and attention to an intrusion, the board does not need to put its own stamp on the issue absent a unique ability to investigate some facet of the event.

Fourth, the board should take on a review only when it believes its product will provide tangible results that improve security. This can be directly through remediation recommendations or indirectly through systemic changes such as Microsoft’s renewed commitment to security. But the board is not merely an investigative body, and it was not created to uncover truth for truth’s sake. It exists to drive security and resilience improvements that will benefit all Americans, and if a review will not produce tangible results, then the board should refrain from taking it on.

Fifth, the board should not initiate a review while an incident is still ongoing. Here, the NTSB analogy falls short—transportation accidents typically have clear beginnings and endings, while a cyberattack or intrusion is almost always an ongoing incident. Until it is contained, all parties involved need to focus on incident response and recovery—they need to stop the proverbial bleeding. The immediate needs of a review, however warranted, will at a minimum distract responders and divert resources. At worst, a review could create tension between the government and the private sector, limit partnership and information sharing, and ultimately make a bad situation worse.

That said, there will likely be many instances where the choice of whether to begin a review is not obvious. But it is likely (in the words of Justice Potter Stewart, albeit in a different context) that we’ll know it when we see it.

Make the CSRB Composition Adaptable

The board membership is a mix of government and private-sector experts. That’s a good thing—cyber expertise resides across government, companies, academia, and civil society, and we need all of these perspectives to get a review right. But the nature of many incidents results in frequent member recusals; by design, board members come from the tech sector and have connections to (and information about) many companies.

Additionally, reviews often require a deep dive into specific technologies, and the board needs to be able to bring on additional expertise specific to a case. Right now, the board can add subject matter experts for individual reviews but cannot easily add voting members. It needs flexibility to expand for individual reviews to ensure it has enough members with the appropriate expertise for each review. The administration should give the board the ability to add temporary voting members to fill those gaps.

Grant Limited Authority to Compel Cooperation

As currently structured, the CSRB cannot compel a company or an organization to cooperate with a review. To date, that has proved relatively successful, as demonstrated by Microsoft. However, some companies may prove less forthcoming than Microsoft; it is easy to imagine a scenario in which a company or an entity refuses to provide information or meet with the board, undermining or even preventing a review.

To address this, the administration should give the board limited authority to compel cooperation—whether through administrative subpoena or otherwise. There should be strict controls on this power, which could include review and approval by appointed officials outside of the board itself. But the very existence of this power is likely to preclude the need to use it; companies are less likely to resist review if they are aware that a mechanism is in place.

Establish the Independence of the CSRB From CISA, the FBI, the NSA, and Other Federal Agencies

For the good of the board and of other agencies, the board must not only be independent but also be perceived as such. This was perhaps the biggest mistake we made when designing the board. Executive Order 14028 directs the secretary of homeland security to establish the board, in consultation with the attorney general. And per its charter, the board makes recommendations to the secretary through the director of CISA. Thus, the public and the private sector largely saw the board as a creature of CISA.

The flaw in this construct became painfully apparent during the Salt Typhoon incident response in late 2024; companies, including victims, were concerned that CISA would share incident response information directly with the board. And while the same could be true for the FBI and the National Security Agency (NSA), which hold seats on the board, the problem was particularly acute for CISA.

Beginning in the late fall of 2024 and until my departure from CISA on Jan. 20, I spent considerable time publicly and privately assuring our partners that all information sharing protections applied irrespective of the existence of the review. CISA’s incident response work was not, and would not ever be, a back channel investigative tool for the CSRB. Astonishingly, corporate entities were more comfortable sharing sensitive and sometimes embarrassing information with agencies charged with criminal investigations and intelligence collection than with one whose sole mission is cyber defense.

The administration needs to address this. Companies that are working with the FBI, NSA, CISA, or any other federal entity during an incident response or a hunt need to know that their interactions will not be disclosed to the board absent their consent or an existing legal requirement. Anything else risks limiting operational coordination and information sharing during a crisis, when even the shortest delay can have significant consequences. The administration should find a new home for the CSRB management team, perhaps in the Office of the National Cyber Director. It should also amend the board’s charter to make clear that the board has no direct or special access to investigative or response work conducted by agencies that hold standing seats on the board.

***

Major cyber incidents are not going to disappear anytime soon. The CSRB has already proved its worth, and the nation will need the board’s work even more in the years to come. While cyber risk is not a problem we can solve, it is one we can manage. A reconstituted and reenergized CSRB can play an essential role in the U.S.’s ability to combat cyber threats.

– Jeff Greene is a Distinguished Fellow with the Aspen Institute’s Cyber Program. He served as the Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency and the Chief of Cyber Response and Policy on the National Security Council during the Biden Administration. Before that he was the Director of the National Cybersecurity Center of Excellence at the National Institute of Standards and Technology and was an executive in a cybersecurity company. Published courtesy of Lawfare


©2025 Global Cyber Security Report. Use Our Intel. All Rights Reserved. Washington, D.C.